AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196
							
# include access to the S3 bucket and aws secrets manager in PROD c2
# resource "aws_iam_role" "codebuild_service_role" {
#   name     = "codebuild_${var.name}_role"
#   path     = "/aws_services/"

#   assume_role_policy = <<EOF
# {
#     "Version": "2012-10-17",
#     "Statement": [
#       {
#         "Effect": "Allow",
#         "Principal": {
#           "Service": [
#             "codebuild.amazonaws.com"
#             ]
#         },
#         "Action": "sts:AssumeRole"
#       }
#     ]
#   }
# EOF
# }

# resource "aws_iam_role_policy_attachment" "codebuild_service_policy_attach" {
#   role       = aws_iam_role.codebuild_service_role.name
#   policy_arn = aws_iam_policy.codebuild_service_policy.arn
# }

# # Some things about this policy I'm not perfectly sure about, like
# # should the account number be hardcoded?  Also, it reads like we'll have to
# # update it each time we have a new repository added to codecommit - that
# # or we'll need to authorize the codebuild role to be able to pull from any 
# # codecommit repo.  Which may be fine?
# resource "aws_iam_policy" "codebuild_service_policy" {
#   name        = "codebuild_${var.name}_policy"
#   description = "Policy for AWS codebuild for ${var.name}"
#   path     = "/aws_services/"

#   policy = <<EOF
# {
#    "Version":"2012-10-17",
#    "Statement":[
#       {
#          "Effect":"Allow",
#          "Action":[
#             "ec2:CreateNetworkInterface",
#             "ec2:CreateNetworkInterfacePermission",
#             "ec2:DeleteNetworkInterface",
#             "ec2:Describe*",
#             "ec2:TerminateInstances",
#             "ec2:RunInstances",
#             "ec2:CreateTags"
#          ],
#          "Resource":"*"
#       },
#       {
#       "Effect":"Allow",
#       "Action":"*",
#       "Resource":"*"
#       },
#       {
#       "Effect":"Allow",
#       "Action":"iam:PassRole",
#       "Resource":"arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/msoc-magic-machine-instance-role"
#       },
#       {
#          "Effect":"Allow",
#          "Resource":[
#             "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:/aws/codebuild/*"
#          ],
#          "Action":[
#             "logs:CreateLogGroup",
#             "logs:CreateLogStream",
#             "logs:PutLogEvents"
#          ]
#       },
#       {
#          "Effect":"Allow",
#          "Resource":[
#             "arn:${var.aws_partition}:s3:::afsxdr-binaries*"
#          ],
#          "Action":[
#             "s3:PutObject",
#             "s3:GetObject",
#             "s3:GetObjectVersion"
#          ]
#       },
#       {
#          "Sid":"PullFromECR",
#          "Effect":"Allow",
#          "Resource":[
#             "*"
#          ],
#          "Action":[
#             "ecr:GetDownloadUrlForLayer",
#             "ecr:BatchGetImage",
#             "ecr:BatchCheckLayerAvailability"
#          ]
#       },
#       {
#          "Sid":"PullFromSecretsManager",
#          "Effect":"Allow",
#          "Resource":[
#             "arn:${var.aws_partition}:secretsmanager:${var.aws_region}:${var.aws_account_id}:secret:msoc-build*"
#          ],
#          "Action":[
#             "secretsmanager:GetSecretValue"
#          ]
#       }
#    ]
# }
# EOF
# }


# Policy for the Magic Machine iam-instance-policy

resource "aws_iam_instance_profile" "magic_machine" {
  name = "msoc-magic-machine-instance-profile-${var.name}"
  role = aws_iam_role.magic_machine_instance_role.name
}

resource "aws_iam_role" "magic_machine_instance_role" {
  name               = "msoc-magic-machine-instance-role-${var.name}"
  path               = "/aws_services/"
  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AssumeRoleAnywhere",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "ec2.amazonaws.com",
            "ssm.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
EOF
}

resource "aws_iam_policy" "magic_machine_policy" {
  name        = "magic_machine_s3_access_${var.name}"
  path        = "/launchroles/"
  description = "This policy allows the magic machine to push the image to S3 for ${var.name}"
  policy      = data.aws_iam_policy_document.magic_machine_instance_policy_s3_binaries_doc.json
}


data "aws_iam_policy_document" "magic_machine_instance_policy_s3_binaries_doc" {
  statement {
    sid       = "AccessTheBucketItself"
    effect    = "Allow"
    resources = ["arn:${var.aws_partition}:s3:::afsxdr-binaries"]

    actions = [
      "s3:ListBucket",
      "s3:GetBucketLocation",
    ]
  }

  statement {
    sid       = "GetFromTheBucket"
    effect    = "Allow"
    resources = ["arn:${var.aws_partition}:s3:::afsxdr-binaries/*"]

    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:PutObject",
    ]
  }

  statement {
    sid    = "UseTheKey"
    effect = "Allow"
    resources = [
      "arn:${var.aws_partition}:kms:${var.aws_region}:${var.common_services_account}:${local.binaries_key}"
    ]
    actions = [
      "kms:Decrypt",
      "kms:DescribeKey",
      "kms:GenerateDataKey"
    ]
  }
}

resource "aws_iam_role_policy_attachment" "magic_machine_instance_policy_attach" {
  role       = aws_iam_role.magic_machine_instance_role.name
  policy_arn = var.xdr-s3-binaries-policy
}